We've collected together some of the questions we've been asked, or have heard being asked, at the many seminars and sessions we've attended. The responses below are based on our own experience, but as with anything like this you should always seek legal advice. We're here to help, but we're not lawyers.
- What does GDPR stand for?
General Data Protection Regulation (EU Regulation 2016/679).
- What's it for?
It applies to organisations that handle personal data. It requires them to use that data only for the purposes it was collected for, to be open with the people it belongs to about what they do with it, and to take appropriate technical and organisational measures to keep it secure.
- Don't we already have the DPA?
The GDPR replaces the Data Protection Act 1998 (the DPA), which was written before smartphones, Facebook, webcams and our heavy reliance on email. The GDPR brings more up-to-date controls to protect the personal data of people in the EU.
- Who does it protect?
It protects the personal data of individuals in the EU (the GDPR calls them 'data subjects'), whatever their nationality or citizenship.
- Why should I/we bother doing this?
Most companies talk about fines. That's the headline catcher, but the two biggest reasons we see are these:
1. Would you want to deal with a company that didn't take care over your personal data? I wouldn't. For example, say you went to see a counsellor to help with anxiety or the loss of a relative. All your personal notes are typed up after your meeting. The counsellor doesn't really take care of the printed copies and they're left in a coffee shop. I'd like to know that a company that has access to my data is taking steps to look after it, whether it's about my health or just my email address or mobile number (hence all the spam calls and emails we all receive).
2. It's a Regulation, not a guideline, so you have to comply. Like tax, it's not something you can ignore.
- So it's an IT issue?
No, not at all. The GDPR covers personal data in any form, so paper files, notebooks and filing cabinets need protecting in the same way that companies try to protect their IT systems.
- Does it affect my company?
Almost certainly yes. Any organisation that offers goods or services to people in the EU, or monitors their behaviour, has to comply, even if it is based outside the EU (for example in China, the USA or Brazil). We've not heard of a company dealing with people in the EU that won't have to comply.
- When does the new GDPR come into effect?
It comes into effect on 25 May 2018. It was adopted in April 2016, so organisations have had two years to prepare.
- Do I/we have to be compliant by May 25th?
Ideally, yes. Realistically, if you haven't started working on it yet (with a month to go) you're unlikely to cover everything in time. Most small companies are being advised by the 'experts' to do as much as they can, keep a record of what has been done and what is still outstanding, and make sure their staff are aware of the GDPR and ideally receive training on it.
- What do we have to do?
There are several things you need to do. We have put together our own 10-point checklist based on the work we've done over the past 12 months.
- Is there a form I can just fill in?
Unfortunately not. Lots of companies are starting to provide templates and applications to track policies, procedures and forms, along with templates for data subject access requests (DSARs), privacy impact assessments (PIAs) and breach notifications, and training. We've looked at lots of them, from free to ridiculously priced, and will add some to our Useful Resources article if we feel they're of any use. If you would like to discuss any of these resources, please call us.
- Do companies just want to make money out of this?
Yes, they do, and there are plenty of them out there already. Some good, some bad. We've decided to do as much as we can ahead of the so-called 'deadline' in May in order to tell our customers what we've done. We're not lawyers, so we don't want to misguide our customers or start selling products and services, and we certainly don't want to scare companies with news about fines. We hope the information we add to our knowledge base will help as a start.
- Can't Cambridge Helpdesk make us compliant?
We can help in the areas you want us to assist with, but we don't have control over your systems, processes or data. One area where we can directly help is Cyber Essentials. This is a government-backed scheme that has been running since 2014 and checks a baseline set of technical controls: boundary firewalls, secure configuration, access control, malware protection and patch management. It doesn't make you GDPR compliant on its own, but it's a good starting point for showing that you're taking the 'appropriate technical measures' the GDPR asks for. We think lots of businesses and consumers will start to look for the Cyber Essentials certification badge in the coming months.
- Do I have to check that all my suppliers are GDPR compliant?
As far as we've been made aware, yes. If a supplier processes personal data on your behalf, the GDPR requires a written contract setting out what they may do with it, and you remain responsible for choosing suppliers that can keep it secure. We have contacted all of our suppliers and partners to check that they're GDPR compliant, and they have all passed the test so far.
- I've had a think about this and I really don't think we store or process any personal data.
- If you have employees then you do hold and process personal data (payroll, holidays, benefits etc.).
- If you send emails to consumers about your products (e.g. marketing emails) then you're processing personal data.
- If you have a website you will also have some work to do (privacy statement, cookie policy, contact forms).
- Perhaps you have a CCTV system. If you do, you'll need to look into this as well, because footage of identifiable people is personal data.
- There are so many acronyms and so much complicated 'legal speak'. I thought this was supposed to simplify things?
The guidelines for things like privacy statements, cookie policies and mailing-list sign-ups state that they should all be easy to read and understand. Unfortunately the regulation and guidance themselves are long, complicated and currently quite confusing for most people. There are also lots of acronyms, sometimes more than one for the same thing: SAR and DSAR both mean 'Data Subject Access Request', and we've seen both bandied about. We've added a list of acronyms here.
We hope you found this useful. If you did please could you rate this article below.